ID. Date of interview 
date 4/92/20 


ID. Time interview started 
start 43:00:00 


ID.end Completion date of interview 
Date 4/02/20 


ID.end Time interview ended 
13:37:29 


ID. Duration of interview 
time 37.48 


Start of new case 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


It would be helpful to have more examples of documents to provide, e.g. 1. Emails - If an email is sent to 
all employees with a list of open jobs the data subjects email address would be included in the list of 'To's' 
this email is sent on a weekly basis - would we need to provide 52 copies of this. 2. WhatsApp messages 
- what would be considered 'reasonable' to provide these if they are on corporate devices. 3. If an 
employee has been with a company for 25 years, imagine the number of emails sent - if the data subject 
requested 'All Data' how would this be carried out. 


Q3 


Does the draft guidance contain enough examples? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don’t know, please provide any examples that think should be included in 
the draft guidance. 


See my answer to Q2. 1. Weekly reports - that contain the data subjects name, for example Mileage - 
would we need to provide 52 copies of the report - or could we cover it by saying 'your name appears in 
xxx report’ 2. Emails sent to 'everyone' announcing a colleagues birthday: cakes are available on xx desk 
- would we need to include these. 3. If a data subject requests ‘All Data' what would be considered a 
reasonable search if we don't have automatic tools within outlook to look for names. Would asking the 
line manager and team members + HR, specific departments be sufficient? 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly 
unfounded or excessive’ subject access requests. We would like to include a wide 
range of examples 
from a variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive 
requests below (if applicable). 


‘All Data’ when an employee has worked for a company for 5+ years. Systems have 
changed. Multiple managers, they have worked on multiple projects etc. Specifically 
on emails. Where an email chain is 20 emails long, do we need to provide all 20 or 
just the latest. How can we be sure its the latest. The reality is that when we ask 
manager to provide emails we get the same email so many times, the only way to 
manage this is to create a folder for each manager to put their emails in, we then 
allocate a folder for redaction, the same email could be in multiple folders but as 
different people are doing the redaction they don't see the duplication. This is taking 
so much time and also not the ideal for the data subject as they receive so many 
copies. We do not have the budget for clever software so are doing this manually. 
The time frame is also difficult - if a manager requested to provide data is away on 
holiday for 2 wks for example, we immediately loose 2 weeks if that person has lots 
of data to provide then the redaction can take a long time depending on the content. 


Q5 Ona scale of 1-5 how useful is the draft guidance? 


1-Notatall 2-—Slightly Moderately 4-Very 5- Extremely 
useful useful useful useful useful 


© 


Q6 Why have you given this score? 


Because it doesn't go far enough on specific examples. Guidance on how to redact, 
what tools can be used, how to redact. What to consider. How to search for personal 
data in an email, is the fact that the email is sent to the data subject but the content 
of the email is regarding a business matter, e.g. arranging for a customer visit. 
would this email still be considered personal data, even if the data subject has 
already seen it. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Neither agree Strongly 
disagree Disagree nor disagree Agree agree 


© 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


The document is clear but doesn't give enough examples or operational guidance. 


Q9 Are you answering as: 
C) An individual acting in a private capacity (eg someone providing their views as a member of the public) 
(`) An individual acting in a professional capacity 
© On behalf of an organisation 
(C) Other 
Please specify the name of your organisation: 
Schneider Electric 


What sector are you from: 
Energy Efficiency 


Q10 How did you find out about this survey? 
C `) ICO Twitter account 
(_) ICO Facebook account 
©) ICO LinkedIn account 
©) ICO website 
( ) ICO newsletter 
(_) ICO staff member 
( ) Colleague 
(_) Personal/work Twitter account 
\_) Personal/work Facebook account 
©) Personal/work LinkedIn account 
C) Other 
If other please specify: 


